Automated execution environments (sometimes referred to as “sandboxes”) are often used to facilitate controlled execution and/or observation of suspicious and/or unknown files. For example, an automated execution environment may execute a file sample to observe whether the file sample exhibits any potentially malicious behaviors. By executing and observing the file sample in this way, the automated execution environment may be able to determine that a file is malicious without exposing the underlying computing platform to certain risks associated with the malicious file.
Unfortunately, conventional automated execution environments may still have certain deficiencies and/or vulnerabilities that allow unscrupulous outsiders to gain access to the proprietary inner workings of those environments. For example, an unscrupulous outsider may develop a malicious file that is able to identify certain internal processes and/or mechanisms of an automated execution environment and then extract a description of those processes and/or mechanisms. This practice is sometimes referred to as an “enumeration attack.”
Enumeration attacks may serve their perpetrators in different ways. For example, a malware author may perform an enumeration attack on an automated execution environment in an effort to keep malware from being detected by hiding certain malicious behaviors from the automated execution environment. Additionally or alternatively, a competing security developer and/or vendor may perform an enumeration attack on an automated execution environment in an effort to reverse-engineer the automated execution environment and/or obtain certain trade secrets from the competition.
The instant disclosure, therefore, identifies and addresses a need for additional and improved systems and methods for protecting automated execution environments against enumeration attacks.